Event Triggered Execution - T1546
(ATT&CK® Technique)
D3FEND Inferred Relationships
Browse the D3FEND knowledge graph by clicking on the nodes below.
graph LR;
%% Left-to-right flowchart of ATT&CK technique T1546 (Event Triggered Execution) and the digital
%% artifacts it touches. Each edge label names the relationship: loads, modifies, creates,
%% executes, produces, invokes, may-create, may-modify.
%% Every edge is followed by class statements (OffensiveTechniqueNode / ArtifactNode) and click
%% statements that link the two nodes to their pages; these statements repeat for every edge.
%% For defenders, the artifacts on the right are the places to watch for this technique, e.g.
%% changes to a PowerShell Profile Script, Shim Database, User Init Configuration File,
%% Property List File or System Configuration Database Record, and the processes it produces.
%% NOTE(review): the "may-" prefix presumably marks a relationship that holds only in some
%% cases (e.g. some sub-techniques) - confirm against the D3FEND ontology.
T1546["Event Triggered Execution"] --> |loads| SharedLibraryFile["Shared Library File"]; class T1546 OffensiveTechniqueNode;
class SharedLibraryFile ArtifactNode; click SharedLibraryFile href "/dao/artifact/d3f:SharedLibraryFile";
click T1546 href "/offensive-technique/attack/T1546/"; click SharedLibraryFile href "/dao/artifact/d3f:SharedLibraryFile";
T1546["Event Triggered Execution"] --> |may-create| ExecutableScript["Executable Script"]; class T1546 OffensiveTechniqueNode;
class ExecutableScript ArtifactNode; click ExecutableScript href "/dao/artifact/d3f:ExecutableScript";
click T1546 href "/offensive-technique/attack/T1546/"; click ExecutableScript href "/dao/artifact/d3f:ExecutableScript";
T1546["Event Triggered Execution"] --> |may-modify| ExecutableScript["Executable Script"]; class T1546 OffensiveTechniqueNode;
class ExecutableScript ArtifactNode; click ExecutableScript href "/dao/artifact/d3f:ExecutableScript";
click T1546 href "/offensive-technique/attack/T1546/"; click ExecutableScript href "/dao/artifact/d3f:ExecutableScript";
T1546["Event Triggered Execution"] --> |modifies| PowerShellProfileScript["PowerShell Profile Script"]; class T1546 OffensiveTechniqueNode;
class PowerShellProfileScript ArtifactNode; click PowerShellProfileScript href "/dao/artifact/d3f:PowerShellProfileScript";
click T1546 href "/offensive-technique/attack/T1546/"; click PowerShellProfileScript href "/dao/artifact/d3f:PowerShellProfileScript";
T1546["Event Triggered Execution"] --> |modifies| ShimDatabase["Shim Database"]; class T1546 OffensiveTechniqueNode;
class ShimDatabase ArtifactNode; click ShimDatabase href "/dao/artifact/d3f:ShimDatabase";
click T1546 href "/offensive-technique/attack/T1546/"; click ShimDatabase href "/dao/artifact/d3f:ShimDatabase";
T1546["Event Triggered Execution"] --> |loads| ExecutableBinary["Executable Binary"]; class T1546 OffensiveTechniqueNode;
class ExecutableBinary ArtifactNode; click ExecutableBinary href "/dao/artifact/d3f:ExecutableBinary";
click T1546 href "/offensive-technique/attack/T1546/"; click ExecutableBinary href "/dao/artifact/d3f:ExecutableBinary";
T1546["Event Triggered Execution"] --> |may-create| PropertyListFile["Property List File"]; class T1546 OffensiveTechniqueNode;
class PropertyListFile ArtifactNode; click PropertyListFile href "/dao/artifact/d3f:PropertyListFile";
click T1546 href "/offensive-technique/attack/T1546/"; click PropertyListFile href "/dao/artifact/d3f:PropertyListFile";
T1546["Event Triggered Execution"] --> |may-modify| ExecutableBinary["Executable Binary"]; class T1546 OffensiveTechniqueNode;
class ExecutableBinary ArtifactNode; click ExecutableBinary href "/dao/artifact/d3f:ExecutableBinary";
click T1546 href "/offensive-technique/attack/T1546/"; click ExecutableBinary href "/dao/artifact/d3f:ExecutableBinary";
T1546["Event Triggered Execution"] --> |may-modify| PropertyListFile["Property List File"]; class T1546 OffensiveTechniqueNode;
class PropertyListFile ArtifactNode; click PropertyListFile href "/dao/artifact/d3f:PropertyListFile";
click T1546 href "/offensive-technique/attack/T1546/"; click PropertyListFile href "/dao/artifact/d3f:PropertyListFile";
T1546["Event Triggered Execution"] --> |may-modify| SystemConfigurationDatabaseRecord["System Configuration Database Record"]; class T1546 OffensiveTechniqueNode;
class SystemConfigurationDatabaseRecord ArtifactNode; click SystemConfigurationDatabaseRecord href "/dao/artifact/d3f:SystemConfigurationDatabaseRecord";
click T1546 href "/offensive-technique/attack/T1546/"; click SystemConfigurationDatabaseRecord href "/dao/artifact/d3f:SystemConfigurationDatabaseRecord";
T1546["Event Triggered Execution"] --> |modifies| ExecutableBinary["Executable Binary"]; class T1546 OffensiveTechniqueNode;
class ExecutableBinary ArtifactNode; click ExecutableBinary href "/dao/artifact/d3f:ExecutableBinary";
click T1546 href "/offensive-technique/attack/T1546/"; click ExecutableBinary href "/dao/artifact/d3f:ExecutableBinary";
T1546["Event Triggered Execution"] --> |modifies| SystemConfigurationDatabaseRecord["System Configuration Database Record"]; class T1546 OffensiveTechniqueNode;
class SystemConfigurationDatabaseRecord ArtifactNode; click SystemConfigurationDatabaseRecord href "/dao/artifact/d3f:SystemConfigurationDatabaseRecord";
click T1546 href "/offensive-technique/attack/T1546/"; click SystemConfigurationDatabaseRecord href "/dao/artifact/d3f:SystemConfigurationDatabaseRecord";
T1546["Event Triggered Execution"] --> |modifies| UserInitConfigurationFile["User Init Configuration File"]; class T1546 OffensiveTechniqueNode;
class UserInitConfigurationFile ArtifactNode; click UserInitConfigurationFile href "/dao/artifact/d3f:UserInitConfigurationFile";
click T1546 href "/offensive-technique/attack/T1546/"; click UserInitConfigurationFile href "/dao/artifact/d3f:UserInitConfigurationFile";
T1546["Event Triggered Execution"] --> |executes| Command["Command"]; class T1546 OffensiveTechniqueNode;
class Command ArtifactNode; click Command href "/dao/artifact/d3f:Command";
click T1546 href "/offensive-technique/attack/T1546/"; click Command href "/dao/artifact/d3f:Command";
T1546["Event Triggered Execution"] --> |modifies| SystemConfigurationDatabase["System Configuration Database"]; class T1546 OffensiveTechniqueNode;
class SystemConfigurationDatabase ArtifactNode; click SystemConfigurationDatabase href "/dao/artifact/d3f:SystemConfigurationDatabase";
click T1546 href "/offensive-technique/attack/T1546/"; click SystemConfigurationDatabase href "/dao/artifact/d3f:SystemConfigurationDatabase";
T1546["Event Triggered Execution"] --> |produces| Process["Process"]; class T1546 OffensiveTechniqueNode;
class Process ArtifactNode; click Process href "/dao/artifact/d3f:Process";
click T1546 href "/offensive-technique/attack/T1546/"; click Process href "/dao/artifact/d3f:Process";
T1546["Event Triggered Execution"] --> |creates| Shim["Shim"]; class T1546 OffensiveTechniqueNode;
class Shim ArtifactNode; click Shim href "/dao/artifact/d3f:Shim";
click T1546 href "/offensive-technique/attack/T1546/"; click Shim href "/dao/artifact/d3f:Shim";
T1546["Event Triggered Execution"] --> |invokes| CreateProcess["Create Process"]; class T1546 OffensiveTechniqueNode;
class CreateProcess ArtifactNode; click CreateProcess href "/dao/artifact/d3f:CreateProcess";
click T1546 href "/offensive-technique/attack/T1546/"; click CreateProcess href "/dao/artifact/d3f:CreateProcess";
T1546["Event Triggered Execution"] --> |modifies| EventLog["Event Log"]; class T1546 OffensiveTechniqueNode;
class EventLog ArtifactNode; click EventLog href "/dao/artifact/d3f:EventLog";
click T1546 href "/offensive-technique/attack/T1546/"; click EventLog href "/dao/artifact/d3f:EventLog";
T1546["Event Triggered Execution"] --> |modifies| ConfigurationResource["Configuration Resource"]; class T1546 OffensiveTechniqueNode;
class ConfigurationResource ArtifactNode; click ConfigurationResource href "/dao/artifact/d3f:ConfigurationResource";
click T1546 href "/offensive-technique/attack/T1546/"; click ConfigurationResource href "/dao/artifact/d3f:ConfigurationResource";
T1546["Event Triggered Execution"] --> |creates| ExecutableFile["Executable File"]; class T1546 OffensiveTechniqueNode;
class ExecutableFile ArtifactNode; click ExecutableFile href "/dao/artifact/d3f:ExecutableFile";
click T1546 href "/offensive-technique/attack/T1546/"; click ExecutableFile href "/dao/artifact/d3f:ExecutableFile";
T1546["Event Triggered Execution"] --> |may-create| IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"]; class T1546 OffensiveTechniqueNode;
class IntranetAdministrativeNetworkTraffic ArtifactNode; click IntranetAdministrativeNetworkTraffic href "/dao/artifact/d3f:IntranetAdministrativeNetworkTraffic";
click T1546 href "/offensive-technique/attack/T1546/"; click IntranetAdministrativeNetworkTraffic href "/dao/artifact/d3f:IntranetAdministrativeNetworkTraffic";
T1546["Event Triggered Execution"] --> |produces| IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"]; class T1546 OffensiveTechniqueNode;
class IntranetAdministrativeNetworkTraffic ArtifactNode; click IntranetAdministrativeNetworkTraffic href "/dao/artifact/d3f:IntranetAdministrativeNetworkTraffic";
click T1546 href "/offensive-technique/attack/T1546/"; click IntranetAdministrativeNetworkTraffic href "/dao/artifact/d3f:IntranetAdministrativeNetworkTraffic";
%% Deceive: the Decoy File countermeasure "spoofs" the file artifacts listed here (executable
%% binary, shared library, scripts, user init configuration, property list).
%% The dashed "May Deceive" edge to T1546 is declared once, with the first artifact edge; the
%% remaining statements add further artifact edges for the same countermeasure.
%% The relationship is worded "May": it follows from a shared artifact, so read it as a
%% candidate countermeasure to validate rather than confirmed coverage.
DecoyFile["Decoy File"] -->
| spoofs | ExecutableBinary["Executable Binary"];
DecoyFile["Decoy File"] -.->
| May Deceive | T1546["Event Triggered Execution"] ;
class DecoyFile DefensiveTechniqueNode;
class ExecutableBinary ArtifactNode;
click DecoyFile href "/technique/d3f:DecoyFile";
DecoyFile["Decoy File"] -->
| spoofs | SharedLibraryFile["Shared Library File"];
class DecoyFile DefensiveTechniqueNode;
class SharedLibraryFile ArtifactNode;
click DecoyFile href "/technique/d3f:DecoyFile";
DecoyFile["Decoy File"] -->
| spoofs | ExecutableScript["Executable Script"];
class DecoyFile DefensiveTechniqueNode;
class ExecutableScript ArtifactNode;
click DecoyFile href "/technique/d3f:DecoyFile";
DecoyFile["Decoy File"] -->
| spoofs | UserInitConfigurationFile["User Init Configuration File"];
class DecoyFile DefensiveTechniqueNode;
class UserInitConfigurationFile ArtifactNode;
click DecoyFile href "/technique/d3f:DecoyFile";
DecoyFile["Decoy File"] -->
| spoofs | PowerShellProfileScript["PowerShell Profile Script"];
class DecoyFile DefensiveTechniqueNode;
class PowerShellProfileScript ArtifactNode;
click DecoyFile href "/technique/d3f:DecoyFile";
DecoyFile["Decoy File"] -->
| spoofs | ExecutableFile["Executable File"];
class DecoyFile DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click DecoyFile href "/technique/d3f:DecoyFile";
DecoyFile["Decoy File"] -->
| spoofs | PropertyListFile["Property List File"];
class DecoyFile DefensiveTechniqueNode;
class PropertyListFile ArtifactNode;
click DecoyFile href "/technique/d3f:DecoyFile";
%% Detect: countermeasures whose "analyzes" edge lands on an artifact that T1546 touches.
%% Each countermeasure gets one dashed "May Detect" edge to T1546, declared with its first
%% artifact edge. "May Detect" states a candidate detection, not measured coverage.
%% File analysis group: Dynamic Analysis and Emulated File Analysis over script, binary,
%% PowerShell profile and executable file artifacts.
DynamicAnalysis["Dynamic Analysis"] -->
| analyzes | ExecutableScript["Executable Script"];
DynamicAnalysis["Dynamic Analysis"] -.->
| May Detect | T1546["Event Triggered Execution"] ;
class DynamicAnalysis DefensiveTechniqueNode;
class ExecutableScript ArtifactNode;
click DynamicAnalysis href "/technique/d3f:DynamicAnalysis";
EmulatedFileAnalysis["Emulated File Analysis"] -->
| analyzes | ExecutableScript["Executable Script"];
EmulatedFileAnalysis["Emulated File Analysis"] -.->
| May Detect | T1546["Event Triggered Execution"] ;
class EmulatedFileAnalysis DefensiveTechniqueNode;
class ExecutableScript ArtifactNode;
click EmulatedFileAnalysis href "/technique/d3f:EmulatedFileAnalysis";
EmulatedFileAnalysis["Emulated File Analysis"] -->
| analyzes | ExecutableBinary["Executable Binary"];
class EmulatedFileAnalysis DefensiveTechniqueNode;
class ExecutableBinary ArtifactNode;
click EmulatedFileAnalysis href "/technique/d3f:EmulatedFileAnalysis";
DynamicAnalysis["Dynamic Analysis"] -->
| analyzes | ExecutableBinary["Executable Binary"];
class DynamicAnalysis DefensiveTechniqueNode;
class ExecutableBinary ArtifactNode;
click DynamicAnalysis href "/technique/d3f:DynamicAnalysis";
DynamicAnalysis["Dynamic Analysis"] -->
| analyzes | PowerShellProfileScript["PowerShell Profile Script"];
class DynamicAnalysis DefensiveTechniqueNode;
class PowerShellProfileScript ArtifactNode;
click DynamicAnalysis href "/technique/d3f:DynamicAnalysis";
DynamicAnalysis["Dynamic Analysis"] -->
| analyzes | ExecutableFile["Executable File"];
class DynamicAnalysis DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click DynamicAnalysis href "/technique/d3f:DynamicAnalysis";
EmulatedFileAnalysis["Emulated File Analysis"] -->
| analyzes | PowerShellProfileScript["PowerShell Profile Script"];
class EmulatedFileAnalysis DefensiveTechniqueNode;
class PowerShellProfileScript ArtifactNode;
click EmulatedFileAnalysis href "/technique/d3f:EmulatedFileAnalysis";
EmulatedFileAnalysis["Emulated File Analysis"] -->
| analyzes | ExecutableFile["Executable File"];
class EmulatedFileAnalysis DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click EmulatedFileAnalysis href "/technique/d3f:EmulatedFileAnalysis";
%% Network analysis group: every countermeasure below connects to T1546 through the single
%% artifact "Intranet Administrative Network Traffic".
%% NOTE(review): these detections presumably apply only where the trigger mechanism actually
%% generates administrative network traffic; a purely local trigger would not be visible to
%% them - confirm per sub-technique before counting them as coverage.
AdministrativeNetworkActivityAnalysis["Administrative Network Activity Analysis"] -->
| analyzes | IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"];
AdministrativeNetworkActivityAnalysis["Administrative Network Activity Analysis"] -.->
| May Detect | T1546["Event Triggered Execution"] ;
class AdministrativeNetworkActivityAnalysis DefensiveTechniqueNode;
class IntranetAdministrativeNetworkTraffic ArtifactNode;
click AdministrativeNetworkActivityAnalysis href "/technique/d3f:AdministrativeNetworkActivityAnalysis";
ProtocolMetadataAnomalyDetection["Protocol Metadata Anomaly Detection"] -->
| analyzes | IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"];
ProtocolMetadataAnomalyDetection["Protocol Metadata Anomaly Detection"] -.->
| May Detect | T1546["Event Triggered Execution"] ;
class ProtocolMetadataAnomalyDetection DefensiveTechniqueNode;
class IntranetAdministrativeNetworkTraffic ArtifactNode;
click ProtocolMetadataAnomalyDetection href "/technique/d3f:ProtocolMetadataAnomalyDetection";
Client-serverPayloadProfiling["Client-server Payload Profiling"] -->
| analyzes | IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"];
Client-serverPayloadProfiling["Client-server Payload Profiling"] -.->
| May Detect | T1546["Event Triggered Execution"] ;
class Client-serverPayloadProfiling DefensiveTechniqueNode;
class IntranetAdministrativeNetworkTraffic ArtifactNode;
click Client-serverPayloadProfiling href "/technique/d3f:Client-serverPayloadProfiling";
NetworkTrafficCommunityDeviation["Network Traffic Community Deviation"] -->
| analyzes | IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"];
NetworkTrafficCommunityDeviation["Network Traffic Community Deviation"] -.->
| May Detect | T1546["Event Triggered Execution"] ;
class NetworkTrafficCommunityDeviation DefensiveTechniqueNode;
class IntranetAdministrativeNetworkTraffic ArtifactNode;
click NetworkTrafficCommunityDeviation href "/technique/d3f:NetworkTrafficCommunityDeviation";
RemoteTerminalSessionDetection["Remote Terminal Session Detection"] -->
| analyzes | IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"];
RemoteTerminalSessionDetection["Remote Terminal Session Detection"] -.->
| May Detect | T1546["Event Triggered Execution"] ;
class RemoteTerminalSessionDetection DefensiveTechniqueNode;
class IntranetAdministrativeNetworkTraffic ArtifactNode;
click RemoteTerminalSessionDetection href "/technique/d3f:RemoteTerminalSessionDetection";
ConnectionAttemptAnalysis["Connection Attempt Analysis"] -->
| analyzes | IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"];
ConnectionAttemptAnalysis["Connection Attempt Analysis"] -.->
| May Detect | T1546["Event Triggered Execution"] ;
class ConnectionAttemptAnalysis DefensiveTechniqueNode;
class IntranetAdministrativeNetworkTraffic ArtifactNode;
click ConnectionAttemptAnalysis href "/technique/d3f:ConnectionAttemptAnalysis";
PerHostDownload-UploadRatioAnalysis["Per Host Download-Upload Ratio Analysis"] -->
| analyzes | IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"];
PerHostDownload-UploadRatioAnalysis["Per Host Download-Upload Ratio Analysis"] -.->
| May Detect | T1546["Event Triggered Execution"] ;
class PerHostDownload-UploadRatioAnalysis DefensiveTechniqueNode;
class IntranetAdministrativeNetworkTraffic ArtifactNode;
click PerHostDownload-UploadRatioAnalysis href "/technique/d3f:PerHostDownload-UploadRatioAnalysis";
%% Process analysis group: countermeasures over the Process and Create Process artifacts,
%% i.e. the process T1546 produces and the process-creation call it invokes.
ProcessSpawnAnalysis["Process Spawn Analysis"] -->
| analyzes | Process["Process"];
ProcessSpawnAnalysis["Process Spawn Analysis"] -.->
| May Detect | T1546["Event Triggered Execution"] ;
class ProcessSpawnAnalysis DefensiveTechniqueNode;
class Process ArtifactNode;
click ProcessSpawnAnalysis href "/technique/d3f:ProcessSpawnAnalysis";
ProcessSpawnAnalysis["Process Spawn Analysis"] -->
| analyzes | CreateProcess["Create Process"];
class ProcessSpawnAnalysis DefensiveTechniqueNode;
class CreateProcess ArtifactNode;
click ProcessSpawnAnalysis href "/technique/d3f:ProcessSpawnAnalysis";
SystemCallAnalysis["System Call Analysis"] -->
| analyzes | CreateProcess["Create Process"];
SystemCallAnalysis["System Call Analysis"] -.->
| May Detect | T1546["Event Triggered Execution"] ;
class SystemCallAnalysis DefensiveTechniqueNode;
class CreateProcess ArtifactNode;
click SystemCallAnalysis href "/technique/d3f:SystemCallAnalysis";
ProcessSelf-ModificationDetection["Process Self-Modification Detection"] -->
| analyzes | Process["Process"];
ProcessSelf-ModificationDetection["Process Self-Modification Detection"] -.->
| May Detect | T1546["Event Triggered Execution"] ;
class ProcessSelf-ModificationDetection DefensiveTechniqueNode;
class Process ArtifactNode;
click ProcessSelf-ModificationDetection href "/technique/d3f:ProcessSelf-ModificationDetection";
%% One more network-traffic-based detection, listed after the process group; it is linked
%% through the same Intranet Administrative Network Traffic artifact as the group above.
UserGeolocationLogonPatternAnalysis["User Geolocation Logon Pattern Analysis"] -->
| analyzes | IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"];
UserGeolocationLogonPatternAnalysis["User Geolocation Logon Pattern Analysis"] -.->
| May Detect | T1546["Event Triggered Execution"] ;
class UserGeolocationLogonPatternAnalysis DefensiveTechniqueNode;
class IntranetAdministrativeNetworkTraffic ArtifactNode;
click UserGeolocationLogonPatternAnalysis href "/technique/d3f:UserGeolocationLogonPatternAnalysis";
%% Evict: countermeasures that act on what T1546 left running or on disk - Process Suspension
%% and Process Termination on the Process artifact, File Removal on the file artifacts.
%% Each countermeasure has one dashed "May Evict" edge to T1546, declared with its first
%% artifact edge.
%% NOTE(review): no evict edge in this section targets System Configuration Database Record,
%% Shim Database or Configuration Resource, which T1546 also modifies; a trigger persisted
%% there would presumably need separate remediation - confirm against the full graph.
ProcessSuspension["Process Suspension"] -->
| suspends | Process["Process"];
ProcessSuspension["Process Suspension"] -.->
| May Evict | T1546["Event Triggered Execution"] ;
class ProcessSuspension DefensiveTechniqueNode;
class Process ArtifactNode;
click ProcessSuspension href "/technique/d3f:ProcessSuspension";
ProcessTermination["Process Termination"] -->
| terminates | Process["Process"];
ProcessTermination["Process Termination"] -.->
| May Evict | T1546["Event Triggered Execution"] ;
class ProcessTermination DefensiveTechniqueNode;
class Process ArtifactNode;
click ProcessTermination href "/technique/d3f:ProcessTermination";
FileRemoval["File Removal"] -->
| deletes | ExecutableScript["Executable Script"];
FileRemoval["File Removal"] -.->
| May Evict | T1546["Event Triggered Execution"] ;
class FileRemoval DefensiveTechniqueNode;
class ExecutableScript ArtifactNode;
click FileRemoval href "/technique/d3f:FileRemoval";
FileRemoval["File Removal"] -->
| deletes | PowerShellProfileScript["PowerShell Profile Script"];
class FileRemoval DefensiveTechniqueNode;
class PowerShellProfileScript ArtifactNode;
click FileRemoval href "/technique/d3f:FileRemoval";
FileRemoval["File Removal"] -->
| deletes | ExecutableFile["Executable File"];
class FileRemoval DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click FileRemoval href "/technique/d3f:FileRemoval";
FileRemoval["File Removal"] -->
| deletes | PropertyListFile["Property List File"];
class FileRemoval DefensiveTechniqueNode;
class PropertyListFile ArtifactNode;
click FileRemoval href "/technique/d3f:FileRemoval";
FileRemoval["File Removal"] -->
| deletes | SharedLibraryFile["Shared Library File"];
class FileRemoval DefensiveTechniqueNode;
class SharedLibraryFile ArtifactNode;
click FileRemoval href "/technique/d3f:FileRemoval";
FileRemoval["File Removal"] -->
| deletes | ExecutableBinary["Executable Binary"];
class FileRemoval DefensiveTechniqueNode;
class ExecutableBinary ArtifactNode;
click FileRemoval href "/technique/d3f:FileRemoval";
FileRemoval["File Removal"] -->
| deletes | UserInitConfigurationFile["User Init Configuration File"];
class FileRemoval DefensiveTechniqueNode;
class UserInitConfigurationFile ArtifactNode;
click FileRemoval href "/technique/d3f:FileRemoval";
%% Harden: File Encryption ("encrypts") and Local File Permissions ("restricts") over the file
%% artifacts T1546 loads or modifies; the two countermeasures' edges are interleaved below.
%% Each countermeasure has one dashed "May Harden" edge to T1546, declared with its first
%% artifact edge. "May Harden" marks a candidate control, not confirmed prevention.
FileEncryption["File Encryption"] -->
| encrypts | ExecutableBinary["Executable Binary"];
FileEncryption["File Encryption"] -.->
| May Harden | T1546["Event Triggered Execution"] ;
class FileEncryption DefensiveTechniqueNode;
class ExecutableBinary ArtifactNode;
click FileEncryption href "/technique/d3f:FileEncryption";
FileEncryption["File Encryption"] -->
| encrypts | SharedLibraryFile["Shared Library File"];
class FileEncryption DefensiveTechniqueNode;
class SharedLibraryFile ArtifactNode;
click FileEncryption href "/technique/d3f:FileEncryption";
FileEncryption["File Encryption"] -->
| encrypts | UserInitConfigurationFile["User Init Configuration File"];
class FileEncryption DefensiveTechniqueNode;
class UserInitConfigurationFile ArtifactNode;
click FileEncryption href "/technique/d3f:FileEncryption";
FileEncryption["File Encryption"] -->
| encrypts | PropertyListFile["Property List File"];
class FileEncryption DefensiveTechniqueNode;
class PropertyListFile ArtifactNode;
click FileEncryption href "/technique/d3f:FileEncryption";
LocalFilePermissions["Local File Permissions"] -->
| restricts | ExecutableBinary["Executable Binary"];
LocalFilePermissions["Local File Permissions"] -.->
| May Harden | T1546["Event Triggered Execution"] ;
class LocalFilePermissions DefensiveTechniqueNode;
class ExecutableBinary ArtifactNode;
click LocalFilePermissions href "/technique/d3f:LocalFilePermissions";
FileEncryption["File Encryption"] -->
| encrypts | ExecutableScript["Executable Script"];
class FileEncryption DefensiveTechniqueNode;
class ExecutableScript ArtifactNode;
click FileEncryption href "/technique/d3f:FileEncryption";
LocalFilePermissions["Local File Permissions"] -->
| restricts | UserInitConfigurationFile["User Init Configuration File"];
class LocalFilePermissions DefensiveTechniqueNode;
class UserInitConfigurationFile ArtifactNode;
click LocalFilePermissions href "/technique/d3f:LocalFilePermissions";
LocalFilePermissions["Local File Permissions"] -->
| restricts | SharedLibraryFile["Shared Library File"];
class LocalFilePermissions DefensiveTechniqueNode;
class SharedLibraryFile ArtifactNode;
click LocalFilePermissions href "/technique/d3f:LocalFilePermissions";
LocalFilePermissions["Local File Permissions"] -->
| restricts | ExecutableScript["Executable Script"];
class LocalFilePermissions DefensiveTechniqueNode;
class ExecutableScript ArtifactNode;
click LocalFilePermissions href "/technique/d3f:LocalFilePermissions";
FileEncryption["File Encryption"] -->
| encrypts | PowerShellProfileScript["PowerShell Profile Script"];
class FileEncryption DefensiveTechniqueNode;
class PowerShellProfileScript ArtifactNode;
click FileEncryption href "/technique/d3f:FileEncryption";
LocalFilePermissions["Local File Permissions"] -->
| restricts | PropertyListFile["Property List File"];
class LocalFilePermissions DefensiveTechniqueNode;
class PropertyListFile ArtifactNode;
click LocalFilePermissions href "/technique/d3f:LocalFilePermissions";
FileEncryption["File Encryption"] -->
| encrypts | ExecutableFile["Executable File"];
class FileEncryption DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click FileEncryption href "/technique/d3f:FileEncryption";
LocalFilePermissions["Local File Permissions"] -->
| restricts | PowerShellProfileScript["PowerShell Profile Script"];
class LocalFilePermissions DefensiveTechniqueNode;
class PowerShellProfileScript ArtifactNode;
click LocalFilePermissions href "/technique/d3f:LocalFilePermissions";
LocalFilePermissions["Local File Permissions"] -->
| restricts | ExecutableFile["Executable File"];
class LocalFilePermissions DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click LocalFilePermissions href "/technique/d3f:LocalFilePermissions";
%% Software Update is linked through the Shim artifact only.
SoftwareUpdate["Software Update"] -->
| updates | Shim["Shim"];
SoftwareUpdate["Software Update"] -.->
| May Harden | T1546["Event Triggered Execution"] ;
class SoftwareUpdate DefensiveTechniqueNode;
class Shim ArtifactNode;
click SoftwareUpdate href "/technique/d3f:SoftwareUpdate";
%% System Configuration Permissions restricts the System Configuration Database, which T1546
%% modifies; this is the only harden edge in this section that covers a configuration store
%% rather than a file.
SystemConfigurationPermissions["System Configuration Permissions"] -->
| restricts | SystemConfigurationDatabase["System Configuration Database"];
SystemConfigurationPermissions["System Configuration Permissions"] -.->
| May Harden | T1546["Event Triggered Execution"] ;
class SystemConfigurationPermissions DefensiveTechniqueNode;
class SystemConfigurationDatabase ArtifactNode;
click SystemConfigurationPermissions href "/technique/d3f:SystemConfigurationPermissions";
%% Isolate: Executable Allowlisting and Executable Denylisting "block" the executable
%% artifacts and "restrict" Create Process; their edges are interleaved below.
%% Each countermeasure has one dashed "May Isolate" edge to T1546, declared with its first
%% artifact edge.
%% NOTE(review): T1546 also "loads" Shared Library File, and no allowlisting or denylisting
%% edge in this section targets that artifact - confirm whether library loads are covered
%% elsewhere in the graph before relying on these controls for that path.
ExecutableAllowlisting["Executable Allowlisting"] -->
| blocks | ExecutableScript["Executable Script"];
ExecutableAllowlisting["Executable Allowlisting"] -.->
| May Isolate | T1546["Event Triggered Execution"] ;
class ExecutableAllowlisting DefensiveTechniqueNode;
class ExecutableScript ArtifactNode;
click ExecutableAllowlisting href "/technique/d3f:ExecutableAllowlisting";
ExecutableAllowlisting["Executable Allowlisting"] -->
| restricts | CreateProcess["Create Process"];
class ExecutableAllowlisting DefensiveTechniqueNode;
class CreateProcess ArtifactNode;
click ExecutableAllowlisting href "/technique/d3f:ExecutableAllowlisting";
ExecutableAllowlisting["Executable Allowlisting"] -->
| blocks | ExecutableBinary["Executable Binary"];
class ExecutableAllowlisting DefensiveTechniqueNode;
class ExecutableBinary ArtifactNode;
click ExecutableAllowlisting href "/technique/d3f:ExecutableAllowlisting";
ExecutableDenylisting["Executable Denylisting"] -->
| blocks | ExecutableFile["Executable File"];
ExecutableDenylisting["Executable Denylisting"] -.->
| May Isolate | T1546["Event Triggered Execution"] ;
class ExecutableDenylisting DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click ExecutableDenylisting href "/technique/d3f:ExecutableDenylisting";
ExecutableAllowlisting["Executable Allowlisting"] -->
| blocks | PowerShellProfileScript["PowerShell Profile Script"];
class ExecutableAllowlisting DefensiveTechniqueNode;
class PowerShellProfileScript ArtifactNode;
click ExecutableAllowlisting href "/technique/d3f:ExecutableAllowlisting";
ExecutableAllowlisting["Executable Allowlisting"] -->
| blocks | ExecutableFile["Executable File"];
class ExecutableAllowlisting DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click ExecutableAllowlisting href "/technique/d3f:ExecutableAllowlisting";
ExecutableDenylisting["Executable Denylisting"] -->
| blocks | ExecutableBinary["Executable Binary"];
class ExecutableDenylisting DefensiveTechniqueNode;
class ExecutableBinary ArtifactNode;
click ExecutableDenylisting href "/technique/d3f:ExecutableDenylisting";
ExecutableDenylisting["Executable Denylisting"] -->
| blocks | PowerShellProfileScript["PowerShell Profile Script"];
class ExecutableDenylisting DefensiveTechniqueNode;
class PowerShellProfileScript ArtifactNode;
click ExecutableDenylisting href "/technique/d3f:ExecutableDenylisting";
ExecutableDenylisting["Executable Denylisting"] -->
| restricts | CreateProcess["Create Process"];
class ExecutableDenylisting DefensiveTechniqueNode;
class CreateProcess ArtifactNode;
click ExecutableDenylisting href "/technique/d3f:ExecutableDenylisting";
ExecutableDenylisting["Executable Denylisting"] -->
| blocks | ExecutableScript["Executable Script"];
class ExecutableDenylisting DefensiveTechniqueNode;
class ExecutableScript ArtifactNode;
click ExecutableDenylisting href "/technique/d3f:ExecutableDenylisting";
%% Hardware-based Process Isolation is linked through Create Process ("restricts") and
%% Process ("isolates").
Hardware-basedProcessIsolation["Hardware-based Process Isolation"] -->
| restricts | CreateProcess["Create Process"];
Hardware-basedProcessIsolation["Hardware-based Process Isolation"] -.->
| May Isolate | T1546["Event Triggered Execution"] ;
class Hardware-basedProcessIsolation DefensiveTechniqueNode;
class CreateProcess ArtifactNode;
click Hardware-basedProcessIsolation href "/technique/d3f:Hardware-basedProcessIsolation";
Hardware-basedProcessIsolation["Hardware-based Process Isolation"] -->
| isolates | Process["Process"];
class Hardware-basedProcessIsolation DefensiveTechniqueNode;
class Process ArtifactNode;
click Hardware-basedProcessIsolation href "/technique/d3f:Hardware-basedProcessIsolation";
%% Network Traffic Filtering is linked only through Intranet Administrative Network Traffic,
%% so it bears on T1546 only where the technique produces that traffic.
NetworkTrafficFiltering["Network Traffic Filtering"] -->
| filters | IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"];
NetworkTrafficFiltering["Network Traffic Filtering"] -.->
| May Isolate | T1546["Event Triggered Execution"] ;
class NetworkTrafficFiltering DefensiveTechniqueNode;
class IntranetAdministrativeNetworkTraffic ArtifactNode;
click NetworkTrafficFiltering href "/technique/d3f:NetworkTrafficFiltering";
AssetVulnerabilityEnumeration["Asset Vulnerability Enumeration"] -->
| evaluates | PropertyListFile["Property List File"];
AssetVulnerabilityEnumeration["Asset Vulnerability Enumeration"] -.->
| May Model | T1546["Event Triggered Execution"] ;
class AssetVulnerabilityEnumeration DefensiveTechniqueNode;
class PropertyListFile ArtifactNode;
click AssetVulnerabilityEnumeration href "/technique/d3f:AssetVulnerabilityEnumeration";
ConfigurationInventory["Configuration Inventory"] -->
| inventories | SystemConfigurationDatabaseRecord["System Configuration Database Record"];
ConfigurationInventory["Configuration Inventory"] -.->
| May Model | T1546["Event Triggered Execution"] ;
class ConfigurationInventory DefensiveTechniqueNode;
class SystemConfigurationDatabaseRecord ArtifactNode;
click ConfigurationInventory href "/technique/d3f:ConfigurationInventory";
AssetVulnerabilityEnumeration["Asset Vulnerability Enumeration"] -->
| evaluates | ExecutableBinary["Executable Binary"];
class AssetVulnerabilityEnumeration DefensiveTechniqueNode;
class ExecutableBinary ArtifactNode;
click AssetVulnerabilityEnumeration href "/technique/d3f:AssetVulnerabilityEnumeration";
AssetVulnerabilityEnumeration["Asset Vulnerability Enumeration"] -->
| evaluates | SystemConfigurationDatabaseRecord["System Configuration Database Record"];
class AssetVulnerabilityEnumeration DefensiveTechniqueNode;
class SystemConfigurationDatabaseRecord ArtifactNode;
click AssetVulnerabilityEnumeration href "/technique/d3f:AssetVulnerabilityEnumeration";
AssetVulnerabilityEnumeration["Asset Vulnerability Enumeration"] -->
| evaluates | CreateProcess["Create Process"];
class AssetVulnerabilityEnumeration DefensiveTechniqueNode;
class CreateProcess ArtifactNode;
click AssetVulnerabilityEnumeration href "/technique/d3f:AssetVulnerabilityEnumeration";
ConfigurationInventory["Configuration Inventory"] -->
| inventories | ConfigurationResource["Configuration Resource"];
class ConfigurationInventory DefensiveTechniqueNode;
class ConfigurationResource ArtifactNode;
click ConfigurationInventory href "/technique/d3f:ConfigurationInventory";
ConfigurationInventory["Configuration Inventory"] -->
| inventories | ShimDatabase["Shim Database"];
class ConfigurationInventory DefensiveTechniqueNode;
class ShimDatabase ArtifactNode;
click ConfigurationInventory href "/technique/d3f:ConfigurationInventory";
%% Asset Vulnerability Enumeration "evaluates" edges to three more artifacts:
%% Configuration Resource, Shim, and Event Log.
%% The class/click lines repeat per edge; they restyle and relink the same technique node each time.
AssetVulnerabilityEnumeration["Asset Vulnerability Enumeration"] -->
| evaluates | ConfigurationResource["Configuration Resource"];
class AssetVulnerabilityEnumeration DefensiveTechniqueNode;
class ConfigurationResource ArtifactNode;
click AssetVulnerabilityEnumeration href "/technique/d3f:AssetVulnerabilityEnumeration";
AssetVulnerabilityEnumeration["Asset Vulnerability Enumeration"] -->
| evaluates | Shim["Shim"];
class AssetVulnerabilityEnumeration DefensiveTechniqueNode;
class Shim ArtifactNode;
click AssetVulnerabilityEnumeration href "/technique/d3f:AssetVulnerabilityEnumeration";
AssetVulnerabilityEnumeration["Asset Vulnerability Enumeration"] -->
| evaluates | EventLog["Event Log"];
class AssetVulnerabilityEnumeration DefensiveTechniqueNode;
class EventLog ArtifactNode;
click AssetVulnerabilityEnumeration href "/technique/d3f:AssetVulnerabilityEnumeration";
%% Data Inventory (defensive technique): solid edge = the artifact it inventories
%% (System Configuration Database); dashed edge = the relationship to the ATT&CK technique T1546.
%% "May Model" is an inferred relationship (the page titles these "D3FEND Inferred Relationships"):
%% treat it as a candidate mapping to validate in your environment, not as confirmed coverage.
DataInventory["Data Inventory"] -->
| inventories | SystemConfigurationDatabase["System Configuration Database"];
DataInventory["Data Inventory"] -.->
| May Model | T1546["Event Triggered Execution"] ;
class DataInventory DefensiveTechniqueNode;
class SystemConfigurationDatabase ArtifactNode;
click DataInventory href "/technique/d3f:DataInventory";
%% Asset Vulnerability Enumeration "evaluates" edges, one group per artifact:
%% Process, Command, System Configuration Database, Executable File, Executable Script,
%% User Init Configuration File, Shared Library File, Intranet Administrative Network Traffic.
%% Several of these (Shared Library File, Executable Script) also appear on this page as
%% artifacts that T1546 loads, creates or modifies; the shared artifact is what links the two sides.
%% NOTE(review): the breadth of this list reflects the artifact model, not a statement that a
%% vulnerability scan inspects each of these for event-trigger abuse. Verify per tool.
AssetVulnerabilityEnumeration["Asset Vulnerability Enumeration"] -->
| evaluates | Process["Process"];
class AssetVulnerabilityEnumeration DefensiveTechniqueNode;
class Process ArtifactNode;
click AssetVulnerabilityEnumeration href "/technique/d3f:AssetVulnerabilityEnumeration";
AssetVulnerabilityEnumeration["Asset Vulnerability Enumeration"] -->
| evaluates | Command["Command"];
class AssetVulnerabilityEnumeration DefensiveTechniqueNode;
class Command ArtifactNode;
click AssetVulnerabilityEnumeration href "/technique/d3f:AssetVulnerabilityEnumeration";
AssetVulnerabilityEnumeration["Asset Vulnerability Enumeration"] -->
| evaluates | SystemConfigurationDatabase["System Configuration Database"];
class AssetVulnerabilityEnumeration DefensiveTechniqueNode;
class SystemConfigurationDatabase ArtifactNode;
click AssetVulnerabilityEnumeration href "/technique/d3f:AssetVulnerabilityEnumeration";
AssetVulnerabilityEnumeration["Asset Vulnerability Enumeration"] -->
| evaluates | ExecutableFile["Executable File"];
class AssetVulnerabilityEnumeration DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click AssetVulnerabilityEnumeration href "/technique/d3f:AssetVulnerabilityEnumeration";
AssetVulnerabilityEnumeration["Asset Vulnerability Enumeration"] -->
| evaluates | ExecutableScript["Executable Script"];
class AssetVulnerabilityEnumeration DefensiveTechniqueNode;
class ExecutableScript ArtifactNode;
click AssetVulnerabilityEnumeration href "/technique/d3f:AssetVulnerabilityEnumeration";
AssetVulnerabilityEnumeration["Asset Vulnerability Enumeration"] -->
| evaluates | UserInitConfigurationFile["User Init Configuration File"];
class AssetVulnerabilityEnumeration DefensiveTechniqueNode;
class UserInitConfigurationFile ArtifactNode;
click AssetVulnerabilityEnumeration href "/technique/d3f:AssetVulnerabilityEnumeration";
AssetVulnerabilityEnumeration["Asset Vulnerability Enumeration"] -->
| evaluates | SharedLibraryFile["Shared Library File"];
class AssetVulnerabilityEnumeration DefensiveTechniqueNode;
class SharedLibraryFile ArtifactNode;
click AssetVulnerabilityEnumeration href "/technique/d3f:AssetVulnerabilityEnumeration";
AssetVulnerabilityEnumeration["Asset Vulnerability Enumeration"] -->
| evaluates | IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"];
class AssetVulnerabilityEnumeration DefensiveTechniqueNode;
class IntranetAdministrativeNetworkTraffic ArtifactNode;
click AssetVulnerabilityEnumeration href "/technique/d3f:AssetVulnerabilityEnumeration";
%% Software Inventory (defensive technique): solid edge = the artifact it inventories (Shim);
%% dashed edge = inferred "May Model" relationship to T1546.
%% "May Model" means the inventory can represent the artifact the technique touches; on its own
%% it is not a detection. An unexpected entry still has to be compared against a known-good baseline.
SoftwareInventory["Software Inventory"] -->
| inventories | Shim["Shim"];
SoftwareInventory["Software Inventory"] -.->
| May Model | T1546["Event Triggered Execution"] ;
class SoftwareInventory DefensiveTechniqueNode;
class Shim ArtifactNode;
click SoftwareInventory href "/technique/d3f:SoftwareInventory";
%% Asset Vulnerability Enumeration "evaluates" PowerShell Profile Script and Shim Database.
%% Both are listed on this page as artifacts that T1546 modifies, so these two edges are the
%% ones in this technique's set that touch the modified artifacts directly.
AssetVulnerabilityEnumeration["Asset Vulnerability Enumeration"] -->
| evaluates | PowerShellProfileScript["PowerShell Profile Script"];
class AssetVulnerabilityEnumeration DefensiveTechniqueNode;
class PowerShellProfileScript ArtifactNode;
click AssetVulnerabilityEnumeration href "/technique/d3f:AssetVulnerabilityEnumeration";
AssetVulnerabilityEnumeration["Asset Vulnerability Enumeration"] -->
| evaluates | ShimDatabase["Shim Database"];
class AssetVulnerabilityEnumeration DefensiveTechniqueNode;
class ShimDatabase ArtifactNode;
click AssetVulnerabilityEnumeration href "/technique/d3f:AssetVulnerabilityEnumeration";
%% File Analysis (defensive technique): solid "analyzes" edges to the file artifacts it covers;
%% one dashed "May Detect" edge to T1546, declared once in the first group.
%% Artifacts: Executable Binary, Property List File, Shared Library File, Executable Script,
%% User Init Configuration File, Executable File, PowerShell Profile Script.
%% "May Detect" is an inferred relationship (the page titles these "D3FEND Inferred Relationships"):
%% it marks artifact overlap with the technique, so validate it against real telemetry before
%% counting it as detection coverage.
FileAnalysis["File Analysis"] -->
| analyzes | ExecutableBinary["Executable Binary"];
FileAnalysis["File Analysis"] -.->
| May Detect | T1546["Event Triggered Execution"] ;
class FileAnalysis DefensiveTechniqueNode;
class ExecutableBinary ArtifactNode;
click FileAnalysis href "/technique/d3f:FileAnalysis";
FileAnalysis["File Analysis"] -->
| analyzes | PropertyListFile["Property List File"];
class FileAnalysis DefensiveTechniqueNode;
class PropertyListFile ArtifactNode;
click FileAnalysis href "/technique/d3f:FileAnalysis";
FileAnalysis["File Analysis"] -->
| analyzes | SharedLibraryFile["Shared Library File"];
class FileAnalysis DefensiveTechniqueNode;
class SharedLibraryFile ArtifactNode;
click FileAnalysis href "/technique/d3f:FileAnalysis";
FileAnalysis["File Analysis"] -->
| analyzes | ExecutableScript["Executable Script"];
class FileAnalysis DefensiveTechniqueNode;
class ExecutableScript ArtifactNode;
click FileAnalysis href "/technique/d3f:FileAnalysis";
FileAnalysis["File Analysis"] -->
| analyzes | UserInitConfigurationFile["User Init Configuration File"];
class FileAnalysis DefensiveTechniqueNode;
class UserInitConfigurationFile ArtifactNode;
click FileAnalysis href "/technique/d3f:FileAnalysis";
FileAnalysis["File Analysis"] -->
| analyzes | ExecutableFile["Executable File"];
class FileAnalysis DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click FileAnalysis href "/technique/d3f:FileAnalysis";
FileAnalysis["File Analysis"] -->
| analyzes | PowerShellProfileScript["PowerShell Profile Script"];
class FileAnalysis DefensiveTechniqueNode;
class PowerShellProfileScript ArtifactNode;
click FileAnalysis href "/technique/d3f:FileAnalysis";
%% User Session Init Config Analysis (defensive technique): analyzes the User Init Configuration
%% File artifact; the dashed edge is the inferred "May Detect" relationship to T1546.
%% NOTE(review): only one artifact is linked here, so any coverage implied by this group is
%% limited to that artifact type. Other T1546 artifacts on this page are not linked to this technique.
UserSessionInitConfigAnalysis["User Session Init Config Analysis"] -->
| analyzes | UserInitConfigurationFile["User Init Configuration File"];
UserSessionInitConfigAnalysis["User Session Init Config Analysis"] -.->
| May Detect | T1546["Event Triggered Execution"] ;
class UserSessionInitConfigAnalysis DefensiveTechniqueNode;
class UserInitConfigurationFile ArtifactNode;
click UserSessionInitConfigAnalysis href "/technique/d3f:UserSessionInitConfigAnalysis";
%% Process Lineage Analysis (defensive technique): analyzes the Process artifact; the dashed
%% edge is the inferred "May Detect" relationship to T1546.
%% NOTE(review): the link runs through Process, i.e. what gets executed once the trigger fires,
%% not through the configuration artifact that was changed. Presumably this observes the
%% result of the technique rather than its setup; confirm against the technique page.
ProcessLineageAnalysis["Process Lineage Analysis"] -->
| analyzes | Process["Process"];
ProcessLineageAnalysis["Process Lineage Analysis"] -.->
| May Detect | T1546["Event Triggered Execution"] ;
class ProcessLineageAnalysis DefensiveTechniqueNode;
class Process ArtifactNode;
click ProcessLineageAnalysis href "/technique/d3f:ProcessLineageAnalysis";
%% Mandatory Access Control (defensive technique): "restricts" Create Process and "isolates"
%% Process; the dashed edge is the inferred "May Isolate" relationship to T1546.
%% NOTE(review): both solid edges target process creation and the running process, not the
%% files or configuration records T1546 is shown modifying elsewhere on this page. As drawn,
%% this constrains what triggered code can do and does not remove the trigger itself.
MandatoryAccessControl["Mandatory Access Control"] -->
| restricts | CreateProcess["Create Process"];
MandatoryAccessControl["Mandatory Access Control"] -.->
| May Isolate | T1546["Event Triggered Execution"] ;
class MandatoryAccessControl DefensiveTechniqueNode;
class CreateProcess ArtifactNode;
click MandatoryAccessControl href "/technique/d3f:MandatoryAccessControl";
MandatoryAccessControl["Mandatory Access Control"] -->
| isolates | Process["Process"];
class MandatoryAccessControl DefensiveTechniqueNode;
class Process ArtifactNode;
click MandatoryAccessControl href "/technique/d3f:MandatoryAccessControl";
%% System Call Filtering (defensive technique): "filters" the Create Process artifact; the
%% dashed edge is the inferred "May Isolate" relationship to T1546.
%% NOTE(review): the only linked artifact is Create Process, so the implied effect is on process
%% creation by triggered code. Treat it as a candidate control to validate, not confirmed coverage.
SystemCallFiltering["System Call Filtering"] -->
| filters | CreateProcess["Create Process"];
SystemCallFiltering["System Call Filtering"] -.->
| May Isolate | T1546["Event Triggered Execution"] ;
class SystemCallFiltering DefensiveTechniqueNode;
class CreateProcess ArtifactNode;
click SystemCallFiltering href "/technique/d3f:SystemCallFiltering";